From: Robin Murphy <robin.murphy@arm.com>
To: Jason Gunthorpe <jgg@nvidia.com>,
acpica-devel@lists.linux.dev,
Alyssa Rosenzweig <alyssa@rosenzweig.io>,
Albert Ou <aou@eecs.berkeley.edu>,
asahi@lists.linux.dev, Catalin Marinas <catalin.marinas@arm.com>,
Dexuan Cui <decui@microsoft.com>,
devicetree@vger.kernel.org, David Woodhouse <dwmw2@infradead.org>,
Frank Rowand <frowand.list@gmail.com>,
Hanjun Guo <guohanjun@huawei.com>,
Haiyang Zhang <haiyangz@microsoft.com>,
iommu@lists.linux.dev,
Jean-Philippe Brucker <jean-philippe@linaro.org>,
Jonathan Hunter <jonathanh@nvidia.com>,
Joerg Roedel <joro@8bytes.org>,
"K. Y. Srinivasan" <kys@microsoft.com>,
Len Brown <lenb@kernel.org>,
linux-acpi@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
linux-hyperv@vger.kernel.org, linux-mips@vger.kernel.org,
linux-riscv@lists.infradead.org,
linux-snps-arc@lists.infradead.org, linux-tegra@vger.kernel.org,
Russell King <linux@armlinux.org.uk>,
Lorenzo Pieralisi <lpieralisi@kernel.org>,
Marek Szyprowski <m.szyprowski@samsung.com>,
Hector Martin <marcan@marcan.st>,
Palmer Dabbelt <palmer@dabbelt.com>,
patches@lists.linux.dev, Paul Walmsley <paul.walmsley@sifive.com>,
"Rafael J. Wysocki" <rafael@kernel.org>,
Robert Moore <robert.moore@intel.com>,
Rob Herring <robh+dt@kernel.org>,
Sudeep Holla <sudeep.holla@arm.com>,
Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>,
Sven Peter <sven@svenpeter.dev>,
Thierry Reding <thierry.reding@gmail.com>,
Thomas Bogendoerfer <tsbogend@alpha.franken.de>,
Krishna Reddy <vdumpa@nvidia.com>,
Vineet Gupta <vgupta@kernel.org>,
virtualization@lists.linux.dev, Wei Liu <wei.liu@kernel.org>,
Will Deacon <will@kernel.org>
Cc: "André Draszik" <andre.draszik@linaro.org>,
"Lu Baolu" <baolu.lu@linux.intel.com>,
"Christoph Hellwig" <hch@lst.de>,
"Jerry Snitselaar" <jsnitsel@redhat.com>,
"Moritz Fischer" <mdf@kernel.org>,
"Zhenhua Huang" <quic_zhenhuah@quicinc.com>,
"Rafael J. Wysocki" <rafael.j.wysocki@intel.com>,
"Rob Herring" <robh@kernel.org>
Subject: Re: [PATCH v2 00/17] Solve iommu probe races around iommu_fwspec
Date: Wed, 15 Nov 2023 15:22:09 +0000
Message-ID: <1316b55e-8074-4b2f-99df-585df2f3dd06@arm.com>
In-Reply-To: <0-v2-36a0088ecaa7+22c6e-iommu_fwspec_jgg@nvidia.com>

On 2023-11-15 2:05 pm, Jason Gunthorpe wrote:
> [Several people have tested this now, so it is something that should sit in
> linux-next for a while]

What's the aim here? This is obviously far, far too much for a stable
fix, but then it's also not the refactoring we want for the future
either, since it's moving in the wrong direction of cementing the
fundamental brokenness further in place rather than getting any closer
to removing it.

Thanks,
Robin.

> The iommu subsystem uses dev->iommu to store bits of information about the
> attached iommu driver. This has been co-opted by the ACPI/OF code to also
> be a place to pass around the iommu_fwspec before a driver is probed.
>
> Since both are using the same pointers without any locking it triggers
> races if there is concurrent driver loading:
>
>      CPU0                                     CPU1
>  of_iommu_configure()                iommu_device_register()
>   ..                                   bus_iommu_probe()
>    iommu_fwspec_of_xlate()              __iommu_probe_device()
>                                           iommu_init_device()
>     dev_iommu_get()
>                                             .. ops->probe fails, no fwspec ..
>                                             dev_iommu_free()
>     dev->iommu->fwspec    *crash*
>
> My first attempt to get correct locking here was to use the device_lock to
> protect the entire *_iommu_configure() and iommu_probe() paths. This
> allowed safe use of dev->iommu within those paths. Unfortunately enough
> drivers abuse the of_iommu_configure() flow without proper locking and
> this approach failed.
>
> This approach removes touches of dev->iommu from the *_iommu_configure()
> code. The few remaining required touches are moved into iommu.c and
> protected with the existing iommu_probe_device_lock.
>
> To do this we change *_iommu_configure() to hold the iommu_fwspec on the
> stack while it is being built. Once it is fully formed the core code will
> install it into the dev->iommu when it calls probe.
>
> This also removes all the touches of iommu_ops from
> the *_iommu_configure() paths and makes that mechanism private to the
> iommu core.
>
> A few more lockdep assertions are added to discourage future mis-use.
>
> This is on github: https://github.com/jgunthorpe/linux/commits/iommu_fwspec
>
> v2:
> - Fix all the kconfig randomization 0-day stuff
> - Add missing kdoc parameters
> - Remove NO_IOMMU, replace it with ENODEV
> - Use PTR_ERR to print errno in the new/moved logging
> v1: https://lore.kernel.org/r/0-v1-5f734af130a3+34f-iommu_fwspec_jgg@nvidia.com
>
> Jason Gunthorpe (17):
> iommu: Remove struct iommu_ops *iommu from arch_setup_dma_ops()
> iommmu/of: Do not return struct iommu_ops from of_iommu_configure()
> iommu/of: Use -ENODEV consistently in of_iommu_configure()
> acpi: Do not return struct iommu_ops from acpi_iommu_configure_id()
> iommu: Make iommu_fwspec->ids a distinct allocation
> iommu: Add iommu_fwspec_alloc/dealloc()
> iommu: Add iommu_probe_device_fwspec()
> iommu/of: Do not use dev->iommu within of_iommu_configure()
> iommu: Add iommu_fwspec_append_ids()
> acpi: Do not use dev->iommu within acpi_iommu_configure()
> iommu: Hold iommu_probe_device_lock while calling ops->of_xlate
> iommu: Make iommu_ops_from_fwnode() static
> iommu: Remove dev_iommu_fwspec_set()
> iommu: Remove pointless iommu_fwspec_free()
> iommu: Add ops->of_xlate_fwspec()
> iommu: Mark dev_iommu_get() with lockdep
> iommu: Mark dev_iommu_priv_set() with a lockdep
>
> arch/arc/mm/dma.c | 2 +-
> arch/arm/mm/dma-mapping-nommu.c | 2 +-
> arch/arm/mm/dma-mapping.c | 10 +-
> arch/arm64/mm/dma-mapping.c | 4 +-
> arch/mips/mm/dma-noncoherent.c | 2 +-
> arch/riscv/mm/dma-noncoherent.c | 2 +-
> drivers/acpi/arm64/iort.c | 42 ++--
> drivers/acpi/scan.c | 104 +++++----
> drivers/acpi/viot.c | 45 ++--
> drivers/hv/hv_common.c | 2 +-
> drivers/iommu/amd/iommu.c | 2 -
> drivers/iommu/apple-dart.c | 1 -
> drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 9 +-
> drivers/iommu/arm/arm-smmu/arm-smmu.c | 23 +-
> drivers/iommu/intel/iommu.c | 2 -
> drivers/iommu/iommu.c | 227 +++++++++++++++-----
> drivers/iommu/of_iommu.c | 133 +++++-------
> drivers/iommu/omap-iommu.c | 1 -
> drivers/iommu/tegra-smmu.c | 1 -
> drivers/iommu/virtio-iommu.c | 8 +-
> drivers/of/device.c | 24 ++-
> include/acpi/acpi_bus.h | 8 +-
> include/linux/acpi_iort.h | 8 +-
> include/linux/acpi_viot.h | 5 +-
> include/linux/dma-map-ops.h | 4 +-
> include/linux/iommu.h | 47 ++--
> include/linux/of_iommu.h | 13 +-
> 27 files changed, 424 insertions(+), 307 deletions(-)
>
>
> base-commit: b85ea95d086471afb4ad062012a4d73cd328fa86
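
Added example, not part of this thread or of the patch series: a single-threaded userspace C model that replays the interleaving from the quoted diagram, then the flow the cover letter describes (fwspec built on the stack, installed under the probe lock). The struct layouts, `old_flow_would_crash()`, `new_flow_install()`, the `lock_held` flag, the warning counter and the ID values are simplified assumptions, not kernel code.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Simplified userspace stand-ins for the kernel objects named above. */
struct fwspec { unsigned int num_ids; unsigned int ids[4]; };
struct dev_iommu { struct fwspec fwspec; };
struct device { struct dev_iommu *iommu; bool lock_held; unsigned int lockdep_warnings; };

/* Allocate dev->iommu on first use; count unlocked callers as lockdep would. */
static struct dev_iommu *dev_iommu_get(struct device *dev)
{
    if (!dev->lock_held)
        dev->lockdep_warnings++;
    if (!dev->iommu)
        dev->iommu = calloc(1, sizeof(*dev->iommu));
    return dev->iommu;
}

/* CPU1 in the diagram: probe fails under the lock, dev->iommu is freed. */
static void cpu1_failed_probe(struct device *dev)
{
    dev->lock_held = true;           /* models iommu_probe_device_lock */
    dev_iommu_get(dev);
    free(dev->iommu);                /* models dev_iommu_free() */
    dev->iommu = NULL;
    dev->lock_held = false;
}

/* Old flow: true if CPU0's next dev->iommu->fwspec access would fault. */
bool old_flow_would_crash(struct device *dev)
{
    dev_iommu_get(dev);              /* CPU0, unlocked */
    cpu1_failed_probe(dev);          /* CPU1 interleaves here */
    return dev->iommu == NULL;       /* checked here instead of dereferenced */
}

/* New flow: returns the number of IDs installed, or -1 on allocation failure. */
int new_flow_install(struct device *dev)
{
    struct fwspec local = { .num_ids = 2, .ids = { 0x10, 0x11 } }; /* constructed */
    struct dev_iommu *di;

    cpu1_failed_probe(dev);          /* cannot reach 'local' on CPU0's stack */
    dev->lock_held = true;
    di = dev_iommu_get(dev);
    if (di)
        di->fwspec = local;          /* install the fully formed fwspec */
    dev->lock_held = false;
    return di ? (int)di->fwspec.num_ids : -1;
}
```
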
Thread overview: 35+ messages
2023-11-15 14:05 [PATCH v2 00/17] Solve iommu probe races around iommu_fwspec Jason Gunthorpe
2023-11-15 14:05 ` [PATCH v2 01/17] iommu: Remove struct iommu_ops *iommu from arch_setup_dma_ops() Jason Gunthorpe
2023-11-15 14:05 ` [PATCH v2 02/17] iommmu/of: Do not return struct iommu_ops from of_iommu_configure() Jason Gunthorpe
2023-11-15 14:05 ` [PATCH v2 03/17] iommu/of: Use -ENODEV consistently in of_iommu_configure() Jason Gunthorpe
2023-11-15 14:42 ` Jerry Snitselaar
2023-11-15 14:05 ` [PATCH v2 04/17] acpi: Do not return struct iommu_ops from acpi_iommu_configure_id() Jason Gunthorpe
2023-11-15 14:45 ` Jerry Snitselaar
2023-11-15 14:05 ` [PATCH v2 05/17] iommu: Make iommu_fwspec->ids a distinct allocation Jason Gunthorpe
2023-11-15 14:05 ` [PATCH v2 06/17] iommu: Add iommu_fwspec_alloc/dealloc() Jason Gunthorpe
2023-11-19 8:10 ` Hector Martin
2023-11-19 9:19 ` Hector Martin
2023-11-19 14:13 ` Jason Gunthorpe
2023-11-21 6:47 ` Hector Martin
2023-11-21 16:00 ` Jason Gunthorpe
2023-11-23 9:08 ` Hector Martin
2023-11-15 14:05 ` [PATCH v2 07/17] iommu: Add iommu_probe_device_fwspec() Jason Gunthorpe
2023-11-15 14:05 ` [PATCH v2 08/17] iommu/of: Do not use dev->iommu within of_iommu_configure() Jason Gunthorpe
2023-11-15 14:06 ` [PATCH v2 09/17] iommu: Add iommu_fwspec_append_ids() Jason Gunthorpe
2023-11-15 14:06 ` [PATCH v2 10/17] acpi: Do not use dev->iommu within acpi_iommu_configure() Jason Gunthorpe
2023-11-15 14:06 ` [PATCH v2 11/17] iommu: Hold iommu_probe_device_lock while calling ops->of_xlate Jason Gunthorpe
2023-11-15 14:06 ` [PATCH v2 12/17] iommu: Make iommu_ops_from_fwnode() static Jason Gunthorpe
2023-11-15 15:09 ` Jerry Snitselaar
2023-11-16 14:36 ` Moritz Fischer
2023-11-15 14:06 ` [PATCH v2 13/17] iommu: Remove dev_iommu_fwspec_set() Jason Gunthorpe
2023-11-15 14:06 ` [PATCH v2 14/17] iommu: Remove pointless iommu_fwspec_free() Jason Gunthorpe
2023-11-15 14:06 ` [PATCH v2 15/17] iommu: Add ops->of_xlate_fwspec() Jason Gunthorpe
2023-11-15 14:06 ` [PATCH v2 16/17] iommu: Mark dev_iommu_get() with lockdep Jason Gunthorpe
2023-11-15 14:06 ` [PATCH v2 17/17] iommu: Mark dev_iommu_priv_set() with a lockdep Jason Gunthorpe
2023-11-15 14:54 ` [PATCH v2 00/17] Solve iommu probe races around iommu_fwspec Jerry Snitselaar
2023-11-15 15:22 ` Robin Murphy [this message]
2023-11-15 15:36 ` Jason Gunthorpe
2023-11-15 20:23 ` Robin Murphy
2023-11-16 4:17 ` Jason Gunthorpe
2023-11-21 16:06 ` Robin Murphy
2023-11-21 17:55 ` Jason Gunthorpe